IoT is a Quagmire

By Doc Sheldon on October 19, 2018

For several years now, an enterprising soul with few scruples could find online instructions on how to build a very inexpensive scanner device that can extract the code to open electric garage doors in a few seconds. That ability has existed longer than the Internet.

As is usually the case, new technology presents new opportunities to misuse that technology – email certainly created a tremendous number of exploits. Phishing scams, infection with malware, identity theft… criminals are always going to look for ways to take advantage of others. This is invariably made easier if users have a false sense of security.

The growth of the IoT (Internet of Things) is presenting a target-rich environment for criminals, as people install gadgets to modernize their homes, without ensuring the components and systems they install are secure against compromise. And security is the aspect that seems to be receiving the least attention from both users and manufacturers.

Let’s take a look at a hypothetical situation – the first step toward a “smart home” that many homeowners begin with – a home security system.

Ray and Karen Driscoll bought a 15-year-old tract home and decided they wanted to make it as secure as possible, without spending a fortune. So, Ray researched the options and decided that since he was going to be doing his own remodeling anyway, a DIY installation of the security system made sense. For a few hundred dollars, he found a system that seemed to meet his requirements, which included:

Once their new home was ready to move into, Ray bought a small smart TV and went about setting up the system. The setup process proved to be simple enough and he was soon able to monitor all the system’s security devices from the television, using the remote control that came with the system hub.

Within a few months, they added 3 more cameras, 2 more floodlights and a couple of more sophisticated devices – a smart thermostat, electronic door lock on the front door and the ability to control the system from his iPhone.

With a comprehensive security system, Karen felt much more comfortable about leaving the home unattended when she’d go out after Ray had left for his office. There had been a couple of burglaries in the neighborhood over the last few months, but both were sure they were safe. Ray would be automatically notified on his phone if anything happened, so he could call the police immediately.

With the latest additions to their system – the thermostat and electronic lock – the Driscolls had begun their transition to a smart home. The savings from the automatic adjustment of the home’s temperature settings at night had already been reflected in their electric bill and the peace of mind they enjoyed from the security system was substantial. They often joked about what might be the next addition… maybe a fridge that would call Ray and tell him to pick up milk and eggs on his way home, teased Karen. Ray said he leaned more toward activating the sprinkler system when the soil got too dry, but he might hold off until someone came out with a smart lawnmower or a robot that would take the trash out.

Then one Sunday they came home from a church picnic and found their front door open. Ray told Karen to stay in the car while he went inside. As he was getting out of the car, he quickly checked his phone to see if the system had sent him a notification. Nothing.

He found nobody in the house, but drawers were emptied on the floor, the contents of closets had been strewn across the room and his laptop, the big-screen TV, Karen’s antique jewelry box and a couple hundred music CDs were gone. He signaled Karen to come in and he called the police.

About 45 minutes later, a squad car showed up and one officer checked for the point of entry while the other asked the couple what seemed like an endless string of questions.

Does anyone besides the two of you have a key to the house?

-No, and we have a security system – a good one!

Does anyone else have the code?

-There is no code, it’s controlled by our phones.

Is your system monitored by a service?

-No, but it notifies me on my phone of anything out of the ordinary. I got nothing!

The questions continued… what’s missing, have you had any recent visitors you don’t know well, do you have a dog, how long were you gone, etc.

The other officer came into the room, shrugging, I see no evidence of forced entry, Sarge.

The sergeant said it looks like someone may have just overcome your security system. Sadly, that’s not uncommon and according to the experts, relatively easy to do.

-That can’t be what happened here, our system is encrypted.

I’m only saying it’s a possibility – one you should consider, before trusting your system to protect you and your valuables. I’d suggest you speak to an expert, though… this sort of thing is way over my head.

The sergeant gave them a copy of the report and a department business card with his name and badge number scribbled on the back. He and his partner then left, with Ray and Karen standing there even more bewildered than before. How could this happen, why didn’t the system notify Ray, was their whole system vulnerable?

Ray spent the next couple of hours on the Internet, looking for a security company to come tell them how someone had gained entry to their home. He finally spoke to someone named Carl at a firm that had a ton of recommendations and testimonials, as well as a long list of business clients in the area. Carl said he could come over around 3PM.

How

At 2 minutes to 3, the doorbell rang and Ray opened the door to find a man in slacks and a polo shirt with the company’s name on it.

Ray Driscoll? asked the man. I’m Carl Freeman, of Vantage Security.

Ray shook his hand and invited him in, thanking him for being available on such short notice. He then proceeded to tell Carl what they had found when they returned home and what the police had said.

The officer’s right, unfortunately… it’s not at all uncommon. Sadly, many so-called security systems aren’t so secure, and the majority of sensors on the market are open invitations to exploits. Can I see your system?

Ray took him into the living room, where the hub was installed, activated the screen to show the system’s dashboard and handed Carl the remote control.

Hmmm, I see you have a lot of wireless devices connected. That could be the heart of your problem. Can you take me around and show me those devices?

Ray took him to the window and showed him the sensor that was installed there.

-This is the same sensor I put on both doors and all the downstairs windows.

Carl peered at the device, then popped off the cover and looked at the label inside the cover. Okay, this is a good one. All the signals between it and the hub are encrypted. How about the rest of the interior sensors?

-There’s a camera in my wife’s sewing room. That’s what will become the nursery when the time comes. But that’s a hard-wired camera – do you want to see it, too?

Let’s look at the rest of your system first. Anything else inside?

-Just the doorbell sensor, and that’s hard-wired, too.

Okay, how about outside?

-We’ve got 4 floodlights and 2 motion detectors to control 2 of them – 2 others with built-in motion detectors – and we have a wireless camera on the front porch and 3 more around the yard.

Let’s see those cameras, said Carl.

As they stepped out on the front porch, Ray noticed Carl glancing at the electronic lock device on the door.

-That’s hard-wired, said Ray, anticipating a question.

Carl shifted his gaze to the camera. Is the camera in your wife’s sewing room the same brand?

-Yes, but it’s just indoor rated. The others are identical to this one.

Okay, let’s check out the outside lighting setup.

Ray led Carl around to the side of the house and pointed up at a floodlight, then to a separate motion detector mounted about 3-feet away from it. There was only a small power cable connected to the detector, disappearing into a tiny hole into the attic space. Carl said all the motion detectors are wireless?

-Yes, said Ray. I couldn’t see running cable from each sensor, when the system’s designed for wireless. Kinda defeats the purpose.

Show me one of the other floodlights – the ones with the integrated motion detectors.

Leading Carl to the far end of the back yard, Ray pointed to a floodlight that was mounted under the eaves of the shed. This light was different from the first one.

Carl looked at Ray. Unfortunately, that make of motion detector sends unencrypted signals, Mr. Driscoll. I can’t be sure until I look at your system’s log files, but I’d wager this is how someone hacked into your system.

-But why would anyone take the time to hack into a motion detector? All it does is control this one light.

Well, in terms of time, you’re probably looking at something in the 5 to 10-second range, sir. They could do that while ostensibly searching for a lost dog or pretending to do maintenance on your air conditioner or sprinkler system. And they couldn’t care less about controlling that light… they wanted into that motion detector because it was the back door into your entire home network. If I’m right, that’s how they deprogrammed your notifications and unlocked your front door. Let’s go take a closer look at your hub – I want to see what tales your log has to tell.

An hour later, Carl shook hands and left, having determined that someone had indeed used that off-brand motion detector to gain entry to the hub. From there, they’d taken total control of the system, turned off the audible alarm, killed the automatic notifications to Ray’s phone and unlocked the front door. The rest was history.

Ray hadn’t appreciated it much when Carl had pointed out that their losses had really been remarkably slight, given that the outcome could have been a lot worse if the burglars had tried to break in at night, while they were home. Karen was already at her wit’s end and didn’t need to imagine what could have happened.

Nevertheless, he had contracted Vantage Security to replace the non-encrypted devices and harden the installation with a special double-encryption access point.

Why

So, let’s look at why this happened to the Driscolls.

Ray had been very diligent in selecting the brand of system he purchased, even to the point of ensuring that communications between the hub and the system devices were encrypted. He had even beefed up his Internet connection’s firewall while he was at it. But it had never occurred to him that buying those last two off-brand floodlights from a local hardware store might provide backdoor access into the system.

And he and his wife were even more troubled when one of Karen’s friends told them that she had received obscene pictures from Ray’s email address. That’s when they learned that the thief had managed to hack into his email account and had changed his password. A few quick checks showed Ray that over $900 was missing from his checking account, as well. Then, a few days later, he was unable to log into his Facebook account and found that they had taken over that account, too.

The sad fact is that, at present, there is no effective regulation of what security features such devices, “smart” or otherwise, must provide. With just a single device allowing unfettered access to their hub – and by extension, to their home network – all data on all connected devices was at risk.

Additionally, what little discussion there is regarding the implementation of such regulation is mostly on the state level, so the state-by-state requirements are likely to differ considerably. For manufacturers to comply with such a patchwork of standards will mean they’ll have to comply with the most stringent, which may or may not be appropriate. That will drive up costs and slow the development of new systems and components. Basically, everybody loses.


One Comment

Donna
October 19, 2018

Great article, and good timing too. We’ll be moving soon, and we were discussing doing all of this at the new place. I’m a little savvy with this stuff, but I hadn’t thought of the off-brand encryption issue. So thanks for the tip, plus it was a lot more interesting to read it in context as a story, than just some dry text.